
I am looking to buy a dedicated server for my web application. But I am concerned about the security of my application code and about who can access my server, even on a dedicated server. As the hosting provider provides me with a pre-installed OS, I am concerned about the hosting provider's access to my server even if I change the password.

Is there any chance for the hosting provider to access my server in any case?

7 Answers


Yes, they will have access to your server. If virtual, they have access through the virtualization console or container root. If physical, IPMI and out-of-band management provide access. They may have access to your backups. They definitely have access to your disks...

ewwhite

In 2000 Microsoft published something very smart that is still (mostly) relevant today: The 10 Immutable Laws of Security http://technet.microsoft.com/library/cc722487.aspx

Rule number three is "If the bad guy has physical access to your computer it's not your computer anymore."

Fact is, you should consider any computer you don't have COMPLETE physical and technical control over to be a potential target for compromise. Here's a link to think on: http://felipeferreira.net/?p=1259


Depends on the provider.
Usually if you change the password they don't have access anymore.

However: They have physical access.
They can just take out a disk from your RAID1 and have all your data.
They can reboot your server and reset your password, or boot from a CD and read it all, ...

faker

If you really need the best privacy you can get, just encrypt the data. As the other answers and comments say, if you don't do that, then there are methods to get the data out of your server.


Yes, they have access to your server.

You could mess around with encryption, a locked cage in a colo, etc. But they can break the locks on the cage, or use DRAC/KVM over IP/whatever. As others have said, if they have physical access to your server they can break into it.

Go with a reputable, high-quality provider, and don't think of it as them having access to your server (which they're backing up for you). Think of it as having minions who will replace bad hardware in the middle of the night for you. If your provider is PCI compliant, this is adequate to the needs of PCI (also HIPAA, FERPA), etc. If your security needs are greater than that, you probably need your own personal data center.


Ignoring hardware for a moment, most dedicated hosting providers (on Linux) give you the credentials for the root account, but when they install the OS they create a user in the wheel group for them to log in and perform maintenance when you request it, or for if you're inexperienced and forget your password.

I've yet to come across a provider that doesn't do this (my current one, iWeb, does), but I know with iWeb you can request they remove this.

You can use:

getent group root wheel adm admin

to list all users on the server in any kind of administrative role, e.g. wheel (root permissions), admin, etc.
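An added example (not from the answer above) that turns that getent check into a repeatable audit: it parses constructed sample output in the format of `getent group` and `getent passwd`, lists every member of an administrative group, flags any second UID-0 account, and reports admin-group members that are not in your own list of users. All group and account names here are constructed samples, not real data from any provider.

```shell
# Constructed sample input, in the format `getent group root wheel adm admin`
# and `getent passwd` print, so the check runs offline. On a live host,
# substitute the real command output (see the usage line at the bottom).
SAMPLE_GROUPS='root:x:0:
wheel:x:10:alice,hostmaint
adm:x:4:syslog,alice
admin:x:1000:hostmaint'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
hostmaint:x:1001:1001::/home/hostmaint:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
syslog:x:104:110::/home/syslog:/usr/sbin/nologin'

# Print one "group user" pair per line for every member listed in the
# group file's 4th field (groups with no listed members are skipped).
admin_members() {
    printf '%s\n' "$1" |
        awk -F: '$4 != "" { n = split($4, u, ","); for (i = 1; i <= n; i++) print $1, u[i] }' |
        sort -u
}

# Print every account whose UID is 0 but whose name is not "root":
# a second UID-0 login is a full root account under another name.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print admin-group members that do not appear in the space-separated
# list of users you created yourself ($2); anything left over was
# created by someone else (for example the provider's maintenance login).
unexpected_admins() {
    known=" $2 "
    admin_members "$1" |
        awk -v known="$known" '{ if (index(known, " " $2 " ") == 0) print $2 }' |
        sort -u
}

# Stand-alone run on the constructed samples. On a real Linux host use e.g.:
#   unexpected_admins "$(getent group root wheel adm admin sudo)" "alice"
#   extra_uid0 "$(getent passwd)"
echo "admin-group members not in my user list:"
unexpected_admins "$SAMPLE_GROUPS" "alice syslog"
echo "extra UID-0 accounts:"
extra_uid0 "$SAMPLE_PASSWD"
```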


"Dedicated server" + "cheap hosting" means you are renting a virtual server, not your own hardware. Fully dedicated hardware is usually many hundreds of dollars a month.

Virtual servers are fully accessible through the hypervisor / virtualization software; you will never know it happened, and they don't need a local account. Encryption won't help here, as the keys are also accessible, and the encryption just announces that you have something to hide.

Co-lo (co-location) service providers will give you rack space for your hardware, with the condition that you, not they, are responsible for the hardware service. They will push the power button, but that's about all. If the RAM goes, you drive over to the data center and change it. They still have access to the hardware, but they will have to pull the tools out to get to it.

Ultimately, your server's security is a balance between how important/unique your process is, how valuable it is to you, and how valuable it is to others. Generally, data center staff couldn't care less what you are doing until something like excessive bandwidth or a subpoena makes them care.

paul